The perm you’re looking for is Receive As on the Mailbox store. The problem is that delegating Exchange Full Administrator adds an explicit Deny ACE to CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that gets replicated all the way down to the mailboxes. So even if you grant your group the required perms, if they’ve been delegated EFA, the Deny will override it.

I’d imagine you can remove the Deny ACE manually, but we just skipped the delegation wizard and added the ACE for Receive As for our Mailbox Admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN

In an effort to cut down on service account abuse, I’ve been removing and reducing privileges left and right. I have delegated Exchange Full Administrator rights to a few users who had previously been using the service account we originally installed Exchange 2003.

Sometimes, the Exchange Administrators will need to access a user’s mailbox to assist with various issues, and I’m having trouble delegating that right to the members of the Exchange Full Administrators group.

I have created a domain security group named simply “Exchange Full Administrators”, and I delegated Exchange Full Administrator rights to that security group at the organizational level. So anyone in that security group “should” have full administration rights. I’ve had to delegate a few other rights in Active Directory for some other reasons to this new security group (for instance to give this security group rights to modify the dynamic mailing list OU); however I’m having trouble finding exactly where to delegate rights to give this security group full access to everyone’s mailbox.

Any thoughts?

Thanks,

~Ben
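An added example, not part of the thread: one way to list the Allow and Deny ACEs for Receive As in a security descriptor, so the Deny discussed above can be seen together with its trustee and whether it is inherited. The function name `Get-ReceiveAsAce`, the sample SDDL and its SIDs are constructed for illustration; the GUID is the rightsGuid of the Receive-As extended right.

```powershell
# rightsGuid of the Receive-As extended right, and the control-access bit (CR in SDDL)
$ReceiveAs     = [guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'
$ControlAccess = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS

function Get-ReceiveAsAce {
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow/deny ACEs that carry the control-access right are relevant
        if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
        if (-not ($ace.AccessMask -band $ControlAccess)) { continue }

        # An object ACE names one extended right; a plain ACE with CR covers all of them
        $typed = ($ace -is [System.Security.AccessControl.ObjectAce]) -and
                 (($ace.ObjectAceFlags -band
                   [System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent) -ne 0)
        if ($typed -and $ace.ObjectAceType -ne $ReceiveAs) { continue }

        [pscustomobject]@{
            Type      = $ace.AceQualifier              # AccessAllowed or AccessDenied
            Trustee   = $ace.SecurityIdentifier.Value
            Inherited = $ace.IsInherited
            Scope     = if ($typed) { 'Receive-As' } else { 'All extended rights' }
        }
    }
}

# Constructed sample: RID 1105 stands in for the delegated admin group,
# RID 1106 for a separate mailbox-admin group. The last ACE is Send-As and is skipped.
$dom    = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = 'D:' +
    "(OD;CI;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;$dom-1105)" +
    "(OA;CIID;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;$dom-1106)" +
    "(OA;CI;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;$dom-1105)"

Get-ReceiveAsAce -Sddl $sample | Format-Table -AutoSize

# Against a live directory (assumes read access to the Configuration partition):
#   $dn = 'CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com'
#   Get-ReceiveAsAce -Sddl ([ADSI]"LDAP://$dn").psbase.ObjectSecurity.GetSecurityDescriptorSddlForm('Access')
```

Running the same function against the organization object and against a mailbox store shows where a Deny is set explicitly and where it arrives by inheritance.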
- [ActiveDir] Granting Exchange Mailbox Access WATSON, BEN
- RE: [ActiveDir] Granting Exchange Mailbox Access Crawford, Scott
- RE: [ActiveDir] Granting Exchange Mailbox Access WATSON, BEN
- RE: [ActiveDir] Granting Exchange Mailbox Access Coleman, Hunter
- Re: RE: [ActiveDir] Granting Exchange Mailbox Access victor-w
- RE: [ActiveDir] Granting Exchange Mailbox Access Coleman, Hunter
- RE: [ActiveDir] Granting Exchange Mailbox Access WATSON, BEN
